The University identifies, reports, and corrects information resource security flaws.


  • The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.


  • The university is responsible for:

  • 1

    Identifying, reporting, and correcting information resource security flaws as described in RA-5.

  • 2

    Testing software and firmware updates related to security flaw remediation for effectiveness and potential side effects before installation as described in CM-1.

  • 3

    Installing security-relevant software and firmware updates within timelines as specified in CM-1.

  • 4

    Incorporating security flaw remediation into the unit’s configuration management process (CM-3).